Our GraphQL libraries were 2+ years outdated with active CVEs. The fast fix was obvious. The right fix was harder to justify — until you see what the fast fix actually leaves behind.
This was a compliance-regulated system. Security gaps weren't theoretical risks — they were audit findings waiting to happen and potential regulatory exposure for every customer on the platform.
You're the lead engineer at a SaaS company running a compliance platform. Your GraphQL stack is 2+ years outdated. You have active CVEs: a DoS vulnerability via malicious file uploads and SQL injection risks in your type system. A compliance audit is scheduled. Your team has limited capacity. What do you do?
No hints. Just judgment.
Patch-level updates feel responsible — they address the named CVEs, they're fast, and they carry low risk. But they leave deprecated WebSocket transport, unstable pre-release code, and outdated upload patterns in place. You've closed the specific vulnerabilities while keeping the conditions that produced them. The next engineer encounters a slightly cleaner version of the same problem, under tighter time pressure.
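To make the "what the fast fix leaves behind" point concrete, here is an added dependency-hygiene check (example code, not from the original post or any real project). It simulates a patch-only bump of a pinned lock file against a registry snapshot and then audits both the before and after state for the residual problems the post lists: pre-release code in production, deprecated packages, and whole major versions of drift. Every package name, version, and registry entry in it is a constructed placeholder, not the post's actual stack; `applyPatchOnly`, `auditDependencies`, and the semver helpers are hypothetical names defined here.

```javascript
// Added example, not code from the original post. It models the situation the
// post describes: a patch-only bump closes the pinned CVE versions but leaves
// pre-release code, deprecated packages and whole major versions of drift in
// place. All package names, versions and registry metadata below are
// constructed placeholders, not the post's real stack.

const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseSemver(v) {
  const m = SEMVER.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Order two versions: numeric fields first, then a stable release ranks above
// any pre-release of the same number. Pre-release tags are compared as plain
// strings, which is enough for alpha.2 < alpha.3 but is not the full spec.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.prerelease === y.prerelease) return 0;
  if (x.prerelease === null) return 1;
  if (y.prerelease === null) return -1;
  return x.prerelease < y.prerelease ? -1 : 1;
}

// Constructed lock-file pins (what is deployed today).
const INSTALLED = {
  'example-graphql-server': '14.2.1',
  'example-ws-transport-legacy': '0.9.18',
  'example-graphql-upload': '13.0.0-alpha.2',
};

// Constructed snapshot of what a registry would report for each package.
const REGISTRY = {
  'example-graphql-server': { latest: '16.8.0', versions: ['14.2.1', '14.2.3', '15.0.0', '16.8.0'] },
  'example-ws-transport-legacy': { latest: '0.11.0', deprecated: 'replaced by example-ws-transport', versions: ['0.9.18', '0.9.19', '0.11.0'] },
  'example-graphql-upload': { latest: '16.0.0', versions: ['13.0.0-alpha.2', '13.0.0-alpha.3', '16.0.0'] },
};

// Flag the structural problems a CVE-only patch does not address.
function auditDependencies(installed, registry) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    const cur = parseSemver(version);
    const info = registry[name];
    if (!info) { findings.push({ name, issue: 'unknown-package', detail: version }); continue; }
    if (cur.prerelease) findings.push({ name, issue: 'prerelease-in-production', detail: version });
    if (info.deprecated) findings.push({ name, issue: 'deprecated-package', detail: info.deprecated });
    const gap = parseSemver(info.latest).major - cur.major;
    if (gap > 0) findings.push({ name, issue: 'major-versions-behind', detail: String(gap) });
  }
  return findings;
}

// Simulate the "fast fix": stay on the same major.minor line and take the highest
// version the registry offers there. Falls back to the current pin when nothing newer exists.
function applyPatchOnly(installed, registry) {
  const out = {};
  for (const [name, version] of Object.entries(installed)) {
    const cur = parseSemver(version);
    const sameLine = (registry[name] ? registry[name].versions : []).filter((v) => {
      const p = parseSemver(v);
      return p.major === cur.major && p.minor === cur.minor;
    });
    out[name] = sameLine.reduce((best, v) => (compareSemver(v, best) > 0 ? v : best), version);
  }
  return out;
}

// Count findings by kind so before/after states can be compared at a glance.
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.issue]: (acc[f.issue] || 0) + 1 }), {});
}

const patched = applyPatchOnly(INSTALLED, REGISTRY);
console.log('patch-only pins:', patched);
console.log('before:', summarize(auditDependencies(INSTALLED, REGISTRY)));
console.log('after: ', summarize(auditDependencies(patched, REGISTRY)));
```

Running it shows the patch-only bump moving every pin forward (including the pre-release line, which only advances to the next alpha) while the audit summary is identical before and after: the same pre-release, deprecated, and major-drift findings survive, which is exactly the residue the paragraph above describes. In a real pipeline the registry snapshot would come from the package manager's metadata rather than an inline object, but the classification logic is the same.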